Hackers Meet Soldiers

OpenBSD is widely recognized as "one of those other
OSes": an operating system available, like Linux, without licensing fees, but with a character
distinct from any other OS. Only recently, though, have people
begun to learn that the US Defense Advanced Research Projects
Agency (DARPA) partially funds the Canada-based OpenBSD project. Why is the US military
paying ideology-driven foreign hackers? What's the effect on development of the OS?

Focused on Security

Independent Alberta-based kernel hacker Theo de Raadt
is the creator, overseer, and taskmaster of the OpenBSD project. Security has been a consistent
strength of his professional career. While centered in Canada, the OpenBSD development
team De Raadt leads includes members from
around the world.

OpenBSD has focused on security, reliability, and quality since its launch over 7 years ago. The
team follows such standards as POSIX, ANSI, and most
of X/Open. Since 1996, formal audits [see sidebar on security and audits] of the base system's
source code have further buttressed its reputation for security. Thousands of companies, including Adobe and Network
Security Technologies, Inc., use OpenBSD, although many of them keep their choice private for
security reasons.

Security and Audits

"Security" and "audit" mean something different
to OS programmers than they do in civilian life.
Security refers to everything done to protect a
system. This certainly concerns "AAA"
(authentication, authorization, and accounting)
as ways to keep "bad guys" from wreaking havoc,
but also involves a variety of expedients, from
"Are you sure?" buttons to log files, which
protect users from their own mistakes.

An audit is an attested review of quality and integrity
performed by an independent professional.
OpenBSD reviewers carefully study individual programs and
parts of programs, to verify that nothing can go
wrong. "Go wrong" here means,
for example, that the program doesn't burn its
CPU or launch missiles if a user (perhaps accidentally)
enters a longer data field than expected.

Military Contracts

DARPA has funded OpenBSD through a program known as Composable High Assurance Trusted Systems
(CHATS). The University of Pennsylvania oversees the specific proposal behind this grant, called Portable Open Source Security Elements (POSSE). The
grant money has allowed De Raadt to hire former part-time volunteers as full-time employees. This
staffing accelerated development and provided time for the team to report on its research by writing
academic papers.

De Raadt answered several questions about the contract for this article. He explained that no
development serves only government purposes: "Nearly everything that is being developed is going
into the OpenBSD source tree. All of what we do is free. Any changes which do not go into our
source tree are a result of discarded work: something went wrong, something was not useful, a
semantic is flawed, etc."

Among the OpenBSD implementation projects CHATS has at least partially financed are support for
cryptographic hardware, setuid reduction and daemon cleanup, systrace, the stateful
OpenBSD packet filter pf, and, most recently, stack protection. Changes implemented
through CHATS are likely to migrate to other systems as well. The changes are already licensed as
free software, and they follow what De Raadt calls "Unix semantics" for portability. To ensure that
the code is well understood and able to be shared, the implementation team has been writing papers
about its design and implementation.

Summary of Recent Projects

Even without the detail these formal papers provide, it's possible to understand the essence of
the CHATS projects. setuid reduction, for example, narrows the amount of work a program
does as a privileged user. Certain code, known as a "setuid program", must be run with
heightened privileges. But if a program runs as root or a similarly privileged identity,
any error or exploit has the potential to damage the entire system. Limiting the privileges a
program holds restricts the scope and likelihood of such damage.

The traditional Unix-like security provisions for networking illustrate this principle. These
OSes restrict creation of services on the "lower range" of socket ports, such as port 80 for an HTTP
server. This means that the user must have special privileges to create a server on these ports.
Apache, for example, starts as a privileged user to create a server socket on port 80. It then
changes to run as a less powerful user for safety reasons.

OpenBSD reinforces this precaution by changing Apache's root directory (chroot),
along with its user identity. So even if a cracker accesses the system, she'll be able to reach
only the Apache root directory (typically /var/www), rather than the full filesystem
below /, which would likely be accessible with a less secure implementation of Apache.
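The bind-then-drop sequence described above, as an added C example that is not code from the article, Apache, or OpenBSD: the program binds a low port while still root, then chroots and switches to an unprivileged identity, and checks afterwards that root cannot be regained. The account name "www" and the directory /var/www are placeholders; the program assumes a POSIX system and must be started as root to get past the bind and chroot steps.

```c
#define _GNU_SOURCE 1   /* glibc/musl: declare chroot() and setgroups() */
#include <sys/socket.h>
#include <netinet/in.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Step 1, still root: a listening socket on a port below 1024. */
static int bind_listen(unsigned short port) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd); return -1;
    }
    return fd;
}

/* Self-check after the drop: effective ids are the target ones and root
 * cannot be regained. Returns 1 when both hold, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid) {
    return geteuid() == uid && getegid() == gid && setuid(0) != 0;
}

/* Step 2: confine, then drop. chroot() needs root, so it comes first;
 * chdir("/") keeps the cwd inside the jail; supplementary groups and gid
 * change before the uid, because they can no longer be changed after it. */
static int drop_privileges(const char *jail, uid_t uid, gid_t gid) {
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return privileges_dropped(uid, gid) ? 0 : -1;
}

int main(int argc, char **argv) {
    /* Placeholders for the service account and the directory to confine to. */
    const char *user = argc > 1 ? argv[1] : "www", *jail = argc > 2 ? argv[2] : "/var/www";
    struct passwd *pw = getpwnam(user);   /* look up before chroot hides /etc */
    int fd = bind_listen(80);
    if (pw == NULL || fd < 0 || drop_privileges(jail, pw->pw_uid, pw->pw_gid) != 0) {
        perror("setup failed (run as root)"); return 1;
    }
    printf("port 80 bound; now uid %u inside %s\n", (unsigned)geteuid(), jail);
    close(fd);   /* a real server would accept() connections from here on */
    return 0;
}
```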

systrace

The systrace project also manages the relations between programs and the privileges
they exercise. systrace uses configuration files to specify the system calls a program
may make, and what the system calls--including non-native, emulated calls--may do. This restricts a
cracker's ability to use a program for an unintended purpose. A systrace configuration
file for named, for example, might declare:

native-fsread: filename eq "/etc/named.conf" then permit

This restricts named to reading only the file that it should read; even if
named is compromised somehow, OpenBSD prevents it from being "hijacked" to more
dangerous ends.
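Extending the single rule above, a constructed policy fragment in systrace's policy syntax, added here as an illustration rather than a policy shipped with OpenBSD or given in the article; the paths and the rules about what named needs are assumptions. Rules are matched in order, and the deny[...] forms return the named errno to the program instead of performing the call:

```text
Policy: /usr/sbin/named, Emulation: native
	native-fsread: filename eq "/etc/named.conf" then permit
	native-fsread: filename match "/var/named/*" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename match "/etc/*" then deny[enoent]
	native-fswrite: filename match "/var/named/*" then permit
	native-fswrite: deny[eperm]
	native-connect: sockaddr match "inet-*:53" then permit
```

A system call not matched by any rule falls through to systrace's default handling: a prompt in interactive mode, or denial when systrace is run with the automatic (-a) option.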

systrace expressively and elegantly addresses common security vulnerabilities. We
expect to see many system administrators learn and use it soon. Two recent ONLamp articles address
systrace in detail: Systrace and Creating Systrace Policies.

pf

The pf packet filter is another powerful tool. It provides the ability to limit
port and address access across a network interface, does network translation
(NAT/BINAT/redirection), queuing, and other features vital for a server or firewall. Two ONLamp
articles about securing small networks with OpenBSD discuss how to use pf: Introducing pf and NAT with pf in OpenBSD 3.3.

Stack Protection

The execution stack is a common target for attack by buffer overflows and other means. (A recent
ONLamp article about chroot explored buffer
overflows in more detail.) It's characteristic of common hardware architectures that stack
modification can allow a cracker to execute malicious code. The OpenBSD team has come up with a
combination of defenses that reduces the risk of such exploits. Memory pages and ELF sections have
been marked as non-writable and non-executable where possible; this prevents an attacker from
writing his own code into memory and executing it. The team has also cooperated in development of
ProPolice, a tool originally created by
IBM employee Hiroaki Etoh. At runtime, ProPolice checks return addresses and reorganizes variables
to make them more difficult to overflow.
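To show why a guard value catches an overflow before the function returns, here is an added C model (not ProPolice's or OpenBSD's code) of a stack frame laid out as local buffer, then guard, then saved return address; an unchecked copy and its bounded replacement are run against a constructed over-long input. The frame is a plain struct, so the overflow stays inside it and the program is safe to run; the guard constant, return-address value and inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define GUARD 0xA5C3E1F7u   /* fixed here; ProPolice uses a per-process random value */

/* Model stack frame, lowest address first: buffer, guard, saved return
 * address, as ProPolice lays them out. An overflow of buf stays in the struct. */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t guard;       /* the canary the compiler inserts */
    uint32_t saved_ret;   /* stands in for the saved return address */
};

/* The unchecked copy: writes len bytes from the start of buf, spilling onto
 * the guard and saved_ret when len exceeds BUF_SIZE (clamped to the frame). */
static void copy_unchecked(struct frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, src, len);
}

/* The fix: truncate to the buffer and always NUL-terminate. */
static void copy_bounded(struct frame *f, const char *src, size_t len) {
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1;
    memcpy(f->buf, src, n);
    f->buf[n] = '\0';
}

/* Run one input through the model and report what the epilogue would see:
 * bit 0 set if the guard changed (ProPolice aborts here), bit 1 set if the
 * saved return address was overwritten. 0 means a normal return. */
int run_model(const char *input, size_t len, int use_bounded) {
    struct frame f = { {0}, GUARD, 0x08048abcu };   /* constructed return address */
    if (use_bounded) copy_bounded(&f, input, len);
    else             copy_unchecked(&f, input, len);
    return (f.guard != GUARD) | ((f.saved_ret != 0x08048abcu) << 1);
}

/* Constructed inputs: one that fits, one 24 bytes long (buf + guard + ret). */
const char SHORT_INPUT[] = "GET /index.html";
const char LONG_INPUT[]  = "AAAAAAAAAAAAAAAAAAAAAAAA";

int main(void) {
    printf("unchecked, long input: %d\n", run_model(LONG_INPUT, strlen(LONG_INPUT), 0));   /* 3 */
    printf("bounded, long input:   %d\n", run_model(LONG_INPUT, strlen(LONG_INPUT), 1));   /* 0 */
    return 0;
}
```

A copy of 18 bytes clobbers the guard but not the return address, which is exactly the case the guard exists to catch: the check trips although the frame looks intact from the return address alone.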

Summary

These initiatives, CHATS and POSSE, together with OpenBSD programming ingenuity, have generated a variety of
security advances. OpenBSD's liberal license means that the whole world will have the opportunity
to use more secure software. The layered protection provided by stack
protection, non-writable/non-executable areas of memory, and setuid reduction should make life more
difficult for crackers and, thus, easier for administrators. The proactive security approach that
OpenBSD has used for years is now trickling down into other systems, as big players, including
Microsoft, recognize the importance of secure coding. You can benefit from OpenBSD's advantages and
also support the OpenBSD project by buying a CD.
It's also possible, of course, to download OpenBSD freely
via FTP.

As has been true for many years, the upcoming annual USENIX conference will include presentation
of an OpenBSD security research paper that explains more about an OpenBSD project; in this case,
cryptographic hardware. In the meantime, OpenBSD mailing lists are
the best way to monitor the details of the OS's security advances.

George Peter Staplin
is a student in Utah whose own programming focuses mainly on computer graphics. He works mostly with open-source variants of Unix, including OpenBSD.